Our review addresses conditions that existed while FIRMR applied,
discusses the effect of its rescission on SSAs current authority
to monitor calls, and recommends actions that SSA should take in
the absence of regulations.

The Omnibus Crime Control and Safe Streets Act of 1968, as amended,
18 U.S.C. sections 2510-2522, prohibit the intentional interception
of telephone communication by means of any electronic, mechanical,
or other device. However, there are two exceptions to this general
prohibition: (1) consent exception; and (2) business telephone
exception.

Consent Exception- Under this exception,
it is permissible to intercept and record telephone conversations
if one or both of the parties to the communication has given prior
consent to the interception.

Business Telephone Exception- This exception
permits telephone monitoring in a business setting if: (1) the
telephone or telephone equipment has been provided by the telephone
company or by the subscriber for connection to the subscribers
telephone service; and (2) the telephone or telephone equipment
must be used in the ordinary course of business. This provision
generally permits employers to monitor business related calls of
their employees without their consent.

FIRMR section 201-21.603 provided additional restrictions to limit
the circumstances under which Federal agencies were authorized to
listen to or record telephone conversations. FIRMR required:

Consensual Listening In - Agencies may only listen
to or record calls when at least one party to a telephone conversation
knows it is happening or has given prior consent.

Public Service Monitoring - Agencies may only listen
to or record calls when performed by an agency official to determine
the quality of service, but only after an analysis of alternatives
and a written determination by the agency head or a designee that
telephone conversation monitoring is required to perform the agency
mission.

FIRMR also required that each agency that conducted listening in
or recording associated with public service monitoring establish
controls and issue written policies and procedures that provided
for:

the agency head or designee to name in writing those agency officials
authorized to listen in to telephone conversations;

continuous positive action to inform the public of monitoring;

no recording of identifying information of the public callers;

keeping the number of monitored calls to the minimum necessary
to obtain a statistically valid sample;

conspicuous labeling of telephone instruments subject to monitoring;

no use of the information obtained by monitoring against the
public party; and

calling party consent for calls that are recorded.

Although FIRMR has been rescinded, we believe it recognized the
need to limit the circumstances for which monitoring is permitted
and provided Federal agencies essential guidelines to ensure it is
not abused. While SSA is no longer legally obligated to comply with
FIRMR, SSA officials informed us that it will continue to follow
it. We agree with that decision and believe that FIRMR provides a "best
business practice" necessary for the protection of privacy rights,
while at the same time allowing SSA to determine whether the public
is receiving world-class service.

Section 201-21.603 (b) of FIRMR stated that it applied only to consensual
listening in of telephone conversations. This required that at least
one party to a telephone conversation knew it was happening or had
given prior consent. FIRMR also required SSA to establish controls
and written policies and procedures covering seven areas, three of
which pertain to obtaining consent. SSA was required to: (1) take
continuous positive action to inform the public of monitoring; (2)
place conspicuous labeling of telephone instruments subject to monitoring;
and (3) obtain calling party consent for calls that are recorded.

In analyzing the FIRMR provisions for consensual listening in of
telephone conversations, we reviewed case law interpreting the consent
requirements for telephone monitoring under 18 U.S.C. sections 2510-2520.
Based on our analysis of the case law, the determination of whether
someone has consented to the monitoring of their telephone conversations
is dependent on a number of factors. Consent may take one of two
forms, express or implied. Express consent is not difficult to establish
because one of the parties expressly agrees to the monitoring. Implied
consent, on the other hand, cannot be casually inferred and is more
difficult to establish. The circumstances giving rise to implied
consent ordinarily include language or acts which tend to prove or
disprove that a party knows of, or assents to, encroachments on the
routine expectation that conversations are private. In addition,
knowledge of the capability of monitoring alone cannot be considered
implied consent. Lastly, implied consent is not necessarily an all
or nothing proposition. It can be of a limited nature, such as a
consent to monitor business, but not personal calls.

Based on our review of SSAs monitoring program, SSA may be
subject to legal challenges with respect to whether it has the necessary
employees or publics consent. SSA does not obtain the
express consent to monitor telephone calls from either the employees
or the calling public. Consequently, the required consent must be
implied. Although there are several factors to suggest that consent
can be implied, there are additional factors to suggest that SSA
may not have the required consent to monitor calls.

Employee Consent--With respect to SSA employees, the
circumstances that support implied consent are:

SSA usually requires that employees be notified when monitoring
will take place;

SSA labels telephones that are subject to monitoring;

SSA employees continue to use telephones that are subject to
monitoring; and

SSA and AFGE have negotiated procedures for telephone monitoring.

However, there are circumstances that may not support a finding
of implied consent. They include:

the monitoring of calls without notifying the employee;

the SSA/AFGE MOU which expressly states that an employees
utilization of a telephone subject to service observation (monitoring)
will not be construed as consent to being service observed.

Public Consent--With respect to public consent, the
only notification to the public about monitoring is a brief statement
in SSAs public information pamphlets that some telephone calls
may be monitored by a second SSA representative. Currently, an outside
caller to the SSA 800 number is given no notification of the possibility
of monitoring. We would agree that such notification might suffice
for any person who has actually read the SSA publications; however,
there is no legal requirement to read SSA publications. Consequently,
we do not believe that notification in SSA publications is evidence
of implied consent to telephone monitoring by every person who contacts
SSA.

In summary, SSA may have litigation risks in its telephone monitoring
practices. The implied consent from the public is questionable because
it is based on a presumed voluntary reading of SSA publications.
In addition, the implied consent obtained from SSA employees is questionable
in light of SSAs monitoring practices which allow monitoring
without notice and SSAs MOUs which acknowledge that employees utilization
of telephones should not be construed as implying employee consent.

Recommendation:

We recommend that SSA:

1. Take corrective actions to ensure that it meets the legal requirements
for consent. This could include actions such as:

Modifying the SSA/AFGE MOUs with respect to the provision
on employees consent for monitoring telephone conversations.

Including a message on the 800 number to request the consent
of the public to have their calls monitored.

SSA Comment

SSA believes the Office of the Inspector Generals (OIG) interpretation
of the statement concerning employees consent is inconsistent
with the purpose of the MOUs, which deal with the impact and implementation
of managements decision to conduct service observations (monitoring).
SSA also remarked that it has begun the process of promulgating regulations
which will address concerns regarding the parties consent of
service observation.

OIG Response

The Commissioners authorization for monitoring telephone calls
at SSA states that it is for the conduct of consensual public service
monitoring. In addition, it also states that the authorization may
be used only after SSA has fulfilled its duty to bargain with the
AFGE. The applicable MOUs specify the agreements between SSA and
the AFGE with respect to telephone monitoring. A general provision
of the MOUs is that employees do not consent to being monitored.
Consequently, we continue to believe that any implied consent from
SSA employees is questionable. We believe this concern is best remedied
by either modifying the MOUs or by including a message on the 800
number to request the consent of the public to have their calls monitored.

FIRMR requires SSA to take continuous positive action to inform
the public of monitoring. FIRMR is silent as to what type of notice
is required. SSA believes that it satisfies this requirement by its
notification to the public through its public information pamphlets.
Certainly, SSA publications provide some notification to the public.
However, we disagree that this requirement of FIRMR is being met
by notification through SSA pamphlets. In addition, officials at
GSA stated that they believe SSA should have a pre-recorded message
on SSAs 800 number to inform the public of monitoring since
many callers may never receive SSAs public information pamphlets.

Recommendation:

We recommend that SSA:

2. Provide a message on the 800 number to satisfy the FIRMR requirement
of continuous positive action to inform the public of SSAs
monitoring practice.

SSA Comment

SSA commented that since FIRMR has been repealed, there is no current
requirement for continuous positive action to inform the public of
monitoring. However, it is reconsidering whether it will provide
the recommended notice to the public.

OIG Response

We believe FIRMR recognized the actual and perceived effect of monitoring
telephone calls on the privacy rights of individuals. The requirement
for continuous positive notice to inform the public of monitoring
addressed those concerns. Although SSA is not legally obligated to
follow FIRMR, we believe the public has the right to know that their
calls are being monitored. A message on the 800 number provides the
best assurance that the public is aware that their calls may be monitored.

FIRMR requires that SSA keep the number of monitored calls to the
minimum necessary to obtain a statistically valid sample. During
our review, we learned that SSA monitors calls in excess of the minimum
number necessary to obtain a statistically valid sample. SSA guidelines
for monitoring telephone conversations allow for unlimited monitoring
of TSRs calls for training purposes and for conduct problems.

As part of TSRs training, a unit supervisor will monitor up
to 100 percent of trainees calls in their first year on the
phone. They also have new TSRs listen to numerous calls of experienced
TSRs to learn how to best respond to calls. While we understand that
monitoring additional calls for trainees may be desirable, it is
not permitted by FIRMR. Unlimited monitoring of trainees exceeds
the minimum sampling requirements and is targeted at specific employees.
We believe SSA should address new TSRs proficiency in their
training program and that new TSRs should be fully trained before
answering calls from the public.

SSA will also monitor calls in excess of the minimum necessary when
it believes there is a conduct problem with a particular TSR, e.g.,
rudeness to the calling public. In these situations, supervisors
will monitor additional calls to evaluate the TSRs courtesy.
This practice also is not permitted by FIRMR. The regulations do
not specify any circumstances for additional monitoring of calls
when conduct is a problem. We believe SSA can address problems with
rude behavior on the phone without monitoring numerous conversations.
The rude behavior can be easily noticed and addressed by a supervisor
walking through the unit and observing TSRs while on the phone.

3. Monitor the minimum number of calls necessary to obtain a statistically
valid sample.

4. Address training needs and conduct problems by means other
than additional monitoring.

SSA Comment

SSA does not believe the monitoring of 100 percent of a TSRs
telephone calls violates the minimum sampling requirement of FIRMR.
It also does not believe it is practical to expect new TSRs to be
proficient in responding to calls without extensive monitoring by
mentors.

SSA also took exception to the statement that "rude behavior
can be easily noticed and addressed by a supervisor walking through
the unit and observing TSRs while on the phone." It noted that
the elimination of supervisory positions and new systems furniture
make visual observation of rude behavior more difficult.

OIG Response

The FIRMR requirement recognized that monitoring should be limited
and kept to a minimum. We agree that this may present challenges
to SSA trainers and supervisors. However, the GSA specifically stated
that this was not permitted by FIRMR since it is not sampling and
is targeted at specific individuals. GSA also noted that SSA needs
to consider the impact on the calling public of having additional
conversations monitored.

FIRMR states that the monitoring should be of a statistically valid
sample of calls. Statistical sampling requires that the sample be
representative of the population of calls. In order to achieve this,
the sample should be selected by a random process. In using a random
selection process, every item in the population has a known probability
of being selected. The process will eliminate personal bias or subjective
considerations for the selection of sample items. Judgment sampling
is not statistical sampling; it is discretionary. For example, selecting
a few calls "at random" is usually included in the category
of judgment sampling. Only by the use of statistical sampling can
SSA quantify, with any mathematical reliability, the quality of telephone
service provided to the public.

During our audit, we interviewed unit supervisors and technical
assistants who conduct most of the monitoring in TSCs. As part of
the interviews, we inquired about how calls are selected for monitoring.
We found that the sample of calls monitored are not statistical (representative)
and are not selected randomly. Unit supervisors and/or technical
assistants determine when they will monitor a call, which is usually
when their schedules permit. They usually listen to a few calls in
succession at their discretion and judgment. As a result, the information
gathered from monitoring does not provide reliable evidence to assess
the overall quality of service provided to the public.

Recommendation:

We recommend that SSA:

5. Use statistical sampling for the monitoring of telephone calls
as required by FIRMR.

SSA Comment

SSA has a proposed revision to its monitoring process which recommends
that unit level service observations be conducted at random. SSA
is also looking into purchasing software to do this for the 800 number
answering sites.

FIRMR prohibits those who monitor calls from recording the identity
(name, Social Security number, or telephone number) of the public
callers. Whenever a call is monitored by a supervisor, he/she will
provide documented feedback to the TSR. The feedback provides a summary
of the call and whether it was answered correctly by the TSR.

As part of our review, we randomly selected a sample of documented
feedback forms for 85 calls that were monitored. The forms were reviewed
to determine whether identifying information of the calling public
was recorded on the feedback forms. Our review showed that, in four
cases, identifying information of the calling public was improperly
recorded on the feedback forms.

SSA has reminded supervisors that identifying information of the
calling public cannot be recorded on the feedback forms. To ensure
that this is not overlooked, we believe there should be a notice
on the feedback forms to alert the monitor that identifying information
of the public callers cannot be recorded.

Recommendations:

We recommend that SSA:

6. Modify the feedback forms to include a statement that identifying
information of the public callers cannot be recorded.

7. Periodically review feedback forms to ensure identifying information
of the public callers is not recorded.

SSA Comment

SSA will remind monitors that identifying information of the calling
public should not be recorded on feedback forms. SSAs service
observation regulations will also address this issue.

Although FIRMR has been rescinded, SSA must continue to meet one
of the required exceptions in 18 U.S.C. sections 2510, et seq., in
order to continue its service observations. SSA can monitor calls
only if the requirements of the consent exception or the business
telephone exception are met.

Consent Exception- This exception permits
telephone monitoring at least one party consents to the monitoring.
We have discussed the relevant case law and elements of this requirement
in the section, Consensual Monitoring Under FIRMR. Based on our review,
we continue to believe SSA may be subject to legal challenges with
respect to whether it has the employees or publics consent
to monitor their telephone calls. Therefore, we reaffirm our recommendation
for SSA to ensure that the legal requirements for consent are met
in all cases of telephone monitoring.

Business Telephone Exception - This exception permits
telephone monitoring in a business setting if: (1) the telephone
or telephone equipment has been provided by the telephone company
or by the subscriber for connection to the subscribers telephone
service; and (2) the use of the telephone or telephone equipment
must be used in the ordinary course of business. Consequently, SSA
could monitor calls without the consent of either party if it meets
both exceptions.

The type of listening devices SSA uses has a direct bearing on whether
the business telephone exception is met. Our review of the relevant
case law indicates that some interception devices are specifically
prohibited by law. SSA uses several different devices to monitor
telephone conversations. However, since SSAs monitoring program
has been based on the consent provisions of FIRMR, we did not determine
whether any of these devices are prohibited under the business telephone
exception. We have concerns that some equipment SSA uses may be prohibited.
This concern was also noted in a recent legal opinion by SSAs
Office of the General Counsel (OGC) that suggested some of the monitoring
equipment SSA uses might not qualify for the business telephone exception.

If SSA plans to use the business telephone exception as the legal
basis for its monitoring program, it should determine whether any
of the equipment it uses is prohibited by law. In addition, if SSA
plans to use the business exception, it will have to modify the applicable
SSA/AFGE MOUs since they are based on the consent provisions of FIRMR.

8. Determine whether any of the monitoring equipment SSA uses
is prohibited under the business telephone exception.

9. Modify the applicable SSA/AFGE MOUs if it plans to use the
business telephone exception.

SSA Comment

SSA responded that the facts of a given case determine whether or
not a particular call was permissibly monitored. It will use the
consent exception as its primary legal defense to challenges to its
program. It may rely on the business telephone exception as a secondary
defense where applicable and necessary.

SSA also commented that it could find nothing in the current MOUs
that implies that its monitoring practices do not fall within the
business telephone exception, nor could it find anything in the MOUs
that state it has agreed to follow the consent provisions of the
FIRMR. Lastly, the FIRMR did not address or limit SSAs reliance
on the business telephone exception.

OIG Response

The Commissioners authorization for monitoring telephone calls
at SSA states that it is for the conduct of consensual public
service monitoring. It does not authorize monitoring under the business
telephone exception. While the MOUs do not specifically state that
SSA will follow the consent provisions of FIRMR, they are based on
the Commissioners authorization. Lastly, we strongly disagree
that FIRMR did not limit or prevent SSA from using the business telephone
exception. The FIRMR clearly specified that telephone monitoring
must be consensual.

If SSA plans to use the business telephone exception as a secondary
defense to its program, it can only be done prospectively after the
Commissioner authorizes it. If the business telephone exception is
authorized by the Commissioner, then SSA must still address whether
the equipment it uses is permitted under the business telephone exception
and must still modify the MOUs to allow for it.

We believe the repeal of FIRMR raises serious concerns for SSA and
other Federal agencies that monitor telephone calls. It is unclear
under what authority agencies are engaging in telephone monitoring.
FIRMR had very specific requirements which carefully prescribed the
manner in which agencies should monitor calls to the public. There
are also significant criminal or civil penalties when telephone monitoring
is improperly used.

Given these concerns, we believe new regulations are needed. However,
we encountered varying opinions as to which Federal agency has the
authority to promulgate regulations. We have been advised by GSA
that it retains the authority to prescribe regulations on telephone
monitoring; however, SSAs OGC believes SSA has the authority
to promulgate its own regulations. Regardless of where that authority
rests, we believe SSA needs to take expeditious action to resolve
this issue to ensure its telephone monitoring program is legally
supportable.

SSA replied that it could find no current GSA or OMB guidance that
prohibits telephone monitoring. It asserts that the only current
Federal limitation on telephone monitoring is 18 U.S.C. sections
2510-2520.

OIG Response

We recommend that SSA confirm with appropriate officials at GSA
and OMB that it is authorized to promulgate regulations with respect
to telephone monitoring.

We believe that Federal law has preempted the issue of telephone
monitoring, therefore, State laws would not affect SSAs telephone
monitoring program. This is because the Supremacy Clause of the U.S.
Constitution prevents State regulation unless Congress affirmatively
declares that Federal agencies are subject to State laws. We found
nothing in our review of the Federal law to indicate that Congress
has affirmatively declared that a Federal agency would be required
to submit to State laws for telephone monitoring.

However, the SSA/AFGE MOUs include provisions which SSA and AFGE
have agreed to follow. Included in the MOUs is the agreement that
SSA will be bound by applicable State laws. This is a contract provision
and may be binding on SSA even though SSA would not otherwise be
compelled to obey State laws. We found no indication that SSA has
identified the conditions of the applicable State laws it has agreed
to follow. This could have a significant effect on the manner in
which SSA monitors calls. For example, several States require that
both or all parties to a telephone conversation must have knowledge
and consent to the monitoring. In addition, some States do not recognize
the business telephone exception.

Recommendation:

We recommend that SSA:

11. Identify and review any applicable State laws it has agreed
to follow and develop policies and procedures to ensure compliance.
Modify any MOUs to reflect SSAs interpretation with respect
to the applicability of State laws.

SSA Comment

Although SSA agreed that the Supremacy Clause of the Constitution
prevents State regulation unless Congress affirmatively declares
that Federal agencies are subject to State laws, it does not believe
that the statement in the MOUs requires them to follow applicable
State laws. SSAs interpretation of the MOUs is that it obligates
SSA to comply with State statutes only if Congress acts to make the
State statutes applicable to SSA.

OIG Response

We agree that the Supremacy Clause ordinarily exempts SSA from State
regulations. However, the fact that the provision in the MOU is subject
to interpretation presents a litigation risk that a Court could find
that State laws apply to SSAs telephone monitoring program.

FIRMR required agencies to establish controls to ensure compliance
with its regulations. In addition, OMB Circular A-123 requires agencies
to establish general management controls to ensure compliance with
the law and to provide reasonable assurance that assets are safeguarded
against unauthorized use.

A-123 requires that:

Access to resources and records should be limited to authorized
individuals and accountability for the custody and use of resources
should be assigned and maintained.

Transactions should be promptly recorded, properly classified,
and accounted for in order to prepare timely accounts and reliable
financial and other reports. The documentation for transactions,
management controls, and other significant events must be clear
and readily available for examination.

During our review, we found that SSA has limited or no controls
in place to ensure compliance with 18 U.S.C. sections 2510, et seq.,
or applicable laws and regulations. We identified the following weaknesses
with the Service Observation System which SSA uses to monitor telephone
calls.

As part of our audit, we planned to review an historical sample
of telephone calls that were monitored by SSA personnel. This was
necessary so we could determine whether SSAs monitoring practices
were in compliance with FIRMR, SSA policy, and the various AFGE MOUs.
We were unable to review any records of monitored calls because SSAs
monitoring software does not produce any type of record or audit
trail when calls are monitored. In addition, SSA cannot provide basic
management information on the number and types of calls that are
being monitored.

Since there is no historical record of telephone calls that have
been monitored, we could not determine whether:

We believe the absence of an audit trail for monitored telephone
conversations does not meet the criteria for recording and documenting
transactions as specified by OMB Circular A-123. Given this limitation,
SSA does not have reasonable assurance that monitoring is always
being used for its authorized purposes.

The ability to monitor calls should be restricted only to authorized
individuals. In an automated system, access is normally restricted
by the assignment of a personal identification number (PIN) to identify
users, passwords to authenticate their identity, and profiles to
specify what functions may be performed by a user.

As part of our review, we evaluated the controls that restrict access
to SSAs monitoring software. We found that the access controls
were minimal. In most cases, observers are not required to enter
a PIN or password in order to monitor telephone conversations. Consequently,
there is no systematic means to prevent or detect unauthorized users
from monitoring calls. In addition, there are no means to determine
and authenticate the identity of individuals who use the monitoring
software.

We noted that SSA has some safeguards against unauthorized access
to monitoring. Access to monitoring calls is restricted since usually
it can only be done from a supervisors or technical assistants
telephone. However, in our opinion this provides only limited assurance
against unauthorized access to monitoring calls. This limited assurance
is exacerbated by the following conditions we identified with the
monitoring software.

In order to ensure that authorized individuals are monitoring calls
in accordance with FIRMR, SSA policy, and the various AFGE MOUs,
there should be some safeguards to ensure persons are acting within
the scope of their authority. Based on our review of SSAs monitoring
software, we found there were only limited controls to ensure individuals
do not exceed the scope of their authority. We identified the following
weaknesses with the software:

It does not restrict observers from listening to calls of employees
outside their areas of authority or responsibility. For example,
any of the 46 unit supervisors and 45 technical assistants at the
Baltimore and Auburn TSCs can listen to calls in their respective
units and in all of the other units within the TSC.

It allows for unauthorized monitoring of calls that take place
on administrative phones and employees personal phone lines.
For example, in the Baltimore TSC, the 23 unit supervisors and
22 technical assistants can listen to calls on 23 administrative
phones and on the personal phone lines of 487 TSRs.

It allows for monitoring of calls from administrative and clerical
phones to which no one is personally assigned, and by individuals
who do not have the authority to monitor calls. For example, in
the Auburn TSC, there are 39 phones that improperly have monitoring
capability. This includes administrative or unit phones, secretarial
phones, phones in the mail room, and a phone in the local AFGE
union office.

It allows for monitoring from phones outside of the Agency. Monitoring
can be performed from remote locations outside of SSAs phone
system. Any touch tone telephone can be used (including individuals home
phones) to monitor telephone conversations.

We believe the monitoring software should be revised to prevent these
types of improper monitoring. This condition is exacerbated by the
fact that improper monitoring can be done without any record or audit
trail being established. Consequently, there is also no systematic
means to detect instances in which individuals have improperly
exceeded their authority to monitor telephone conversations.

Recommendations:

We recommend that SSA modify the monitoring software to:

12. Establish a record and/or audit trail whenever a call is monitored.

SSA Comment

SSA will explore this recommendation to determine if it would be
cost effective and beneficial to the monitoring process and will
make a final determination by the end of the calendar year.

13. Require a PIN/password for access.

SSA Comment

SSA will explore this recommendation and make a final determination
no later than the end of this calendar year.

14. Prevent observers from listening to calls of employees outside
their areas of authority or responsibility.

SSA Comment

SSA will not pursue this recommendation. Because of the limited
number of supervisory positions, they must have the flexibility to
monitor calls of employees in other units.

OIG Response

Some limits should be established to prevent observers from listening
to calls of employees for whom they have no supervisory responsibilities.
In cases where it is not practical to do so, SSA should use the audit
trail as suggested in recommendation 12 to detect and investigate
monitoring of this type to ensure it is proper.

15. Prevent the monitoring of calls on administrative phones,
as well as employees personal phone lines.

SSA Comment

SSA agreed with this recommendation and will instruct offices to
ensure that all telephones not subject to monitoring be blocked.

16. Remove the monitoring capability from all unauthorized administrative
and clerical phones.

SSA Comment

SSA agreed with this recommendation and will instruct offices to
remove the monitoring capability from all telephones that will not
be used for monitoring calls.

17. Prevent the monitoring of calls from any phone that is outside
of SSAs phone system.

SSA Comment

SSA will explore the technical feasibility of this recommendation
and reach a final decision within 90 days.

18. Use the audit trail to identify and investigate instances
of improper monitoring.

SSA Comment

If SSA decides to establish an audit trail, it will be used to investigate
instances of improper monitoring.

OMB Circular A-123 states that agency managers should continuously
monitor and improve the effectiveness of management controls associated
with their programs. This includes periodic evaluations and reviews
expressly for the purpose of assessing management controls.

During our review, we learned that SSA had received congressional
inquiries in1993 that expressed concerns about SSAs telephone
monitoring practices. As a result of these concerns, SSAs Deputy
Commissioner for Operations requested that each Regional Commissioner
provide a plan to do periodic reviews of the telephone monitoring
practices in his/her region to ensure compliance with FIRMR and AFGE
MOUs. The Deputy Commissioner for Operations noted that, despite
attempts to correct the problems, some TSC managers continue to violate
the regulations and MOUs regarding the proper monitoring of calls.

In our review of the Baltimore, Maryland, and Auburn, Washington,
TSCs, we found that neither office has performed, nor plans to perform,
any periodic reviews of the monitoring practices in their offices.

Recommendation:

We recommend that SSA:

19. Conduct periodic reviews of the telephone monitoring program
to ensure it is in compliance with applicable laws and regulations,
SSA policy, and SSA/AFGE MOUs. The result of these reviews should
be reported to the Commissioner.

SSA Comment

SSA agreed that it would be a good practice to periodically review
the Agencys monitoring practices.

SSAs monitoring of telephone conversations is a valuable assessment
method. It is likely the most effective method to determine the quality
of service SSA is providing to the public through its 800 number.
However, this practice must be designed with appropriate safeguards
because of the actual and perceived effect on the privacy rights
of the employees and the calling public. This practice also exposes
SSA to criminal or civil penalties imposed by Federal laws when monitoring
is improperly applied. FIRMR recognized the need to limit the circumstances
for which monitoring is permitted and to carefully control telephone
monitoring activities to ensure it is not abused. Since FIRMR has
been rescinded, we believe the authority to monitor telephone conversations
is questionable and there is a compelling need for new regulations.

We also believe the conditions noted in this report represent an
unacceptable risk of noncompliance with the Federal laws and regulations
and that the telephone monitoring practice is not being used for
its intended purpose. The corrective actions recommended, if implemented,
will improve the legal basis for SSA s telephone monitoring
practices and will minimize the likelihood of improper monitoring.